(54) Method and system for evaluating information security

(57) A method and system for evaluating information security and developing an effective information security infrastructure for an entity makes use of an information security evaluation model having, for example, five levels with varying characteristics which explain where the entity stands with regard to threats and vulnerabilities to its information security at any point in time. The evaluation can be performed manually or automatically by a computer program running on a computer, such as a personal computer, and includes, for example, identifying one or more information resources of the entity, receiving information about one or more information security characteristics for the identified resource, categorizing the information security characteristic or characteristics according to a pre-defined hierarchy of risk levels, and assessing a degree of business risk for the entity based on the categorization.
Description

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Application No. 60/107,464 filed November 6, 1998.

FIELD OF THE INVENTION

[0002] The present invention relates generally to the field of evaluating information security, and, in particular, to a method and system for evaluating and developing an effective information security infrastructure.

BACKGROUND OF THE INVENTION

[0003] Organizations of all sizes, for example, small businesses, as well as large businesses, are currently at varying levels of security with respect to information systems, such as their computer systems and networks, which present varying levels of business risk in their daily operations. Generally, such organizations have no effective way to determine whether they are information security astute and whether they have the proper programs and services in place to be considered astute regarding the security of their information. Further, even if they have some systems in place to deal with incidents which may compromise the security of their information, they have no effective way to guarantee whether they are in a highly alert state of readiness or simply a mediocre state of readiness if such an incident occurs. Nor do they have an effective way to evaluate whether particular programs which may be in place are in place at the optimum point to deal with such incidents.

[0004] Many of such entities operate under the mistaken assumption that their information is secure or, for example, that an intruder or hacker would not be motivated to try to gain access to their information systems. Likewise, many such entities mistakenly assume that their employees are aware of and in compliance with the entities' requirements for maintaining and working in a secured environment relative to the entities' information systems. Such entities operate under the assumption, but without any assurance, that information relative to their products and services is confidential and will remain confidential. They assume that their level of risk for a security breach is low, when indeed the level of risk of such a breach may be very high. Such unwarranted assumptions themselves create an additional level of business risk.

[0005] Various attempts have been made to address the problems associated with evaluating and developing effective information security infrastructures at different levels of businesses with different levels of sophistication using various levels of technology. Some of such attempts work in some parts of business, and others work on information technologies only. Some are paper-based. However, none have been particularly successful or effective in encompassing, defining, and classifying vulnerabilities, risk, and threats and providing information security infrastructure solutions at all levels of business and technology.

[0006] There is a current need to provide a relatively simple and efficient method and system for evaluating existing information security and for developing an effective information security infrastructure.

SUMMARY OF THE INVENTION

[0007] It is a feature and advantage of the present invention to provide a method and system for evaluating and developing an effective information security infrastructure which defines a set of controls for assessing and compensating for vulnerabilities in each organizational component, such as technology and business processes.

[0008] It is a further feature and advantage of the present invention to provide a method and system for evaluating and developing an information security infrastructure which furnishes a means for defining and classifying the degree of risk associated with information assets, where the risk is defined as the economic value, worth or exposure or the reputational impact of an information asset.

[0009] It is another feature and advantage of the present invention to provide a method and system for evaluating and developing an information security infrastructure which assists an organization in determining the nature of threats or vulnerability to the organization's information systems.

[0010] It is an additional feature and advantage of the present invention to provide a method and system for evaluating and developing an information security infrastructure which affords tools for assessing and analyzing the impact of threats to an organization's information systems and recommends solutions to deal with such threats.

[0011] To achieve the stated and other features, advantages, and objects, an embodiment of the present invention provides a method and system for evaluating information security for an entity which makes use of an information security evaluation model grid having, for example, five different levels with varying characteristics which explain where the entity stands with regard to information security risks at any given time. The method and system for an embodiment of the present invention includes, for example, identifying one or more information security resources related to an information security area of the entity, such as an organizational environment area, a business commitment area, a policy and standards area, and an information security programs and services area of the entity. The identification can be performed manually or can be received by a computer program running on a computer, such as a personal computer.

[0012] In the method and system for an embodiment of the present invention, the information resources related to the organizational environment area of the entity relate, for example, to one or more corporate structure resources and responsibility and accountability resources. The business commitment area of the entity relates, for example, to one or more management resources, funding resources, incident management resources, awareness and education resources, operations resources, information ownership resources, and information classification resources. The policy and standards area of the entity relates, for example, to one or more existence and maintenance resources and enforcement and measurement resources. The information security programs and services area of the entity relates, for example, to one or more prevention resources, detection resources, and verification resources.

[0013] In the method and system for an embodiment of the present invention, information is received about one or more information security characteristics for the identified information security resource which is indicative of a pre-defined risk level for the information security of the entity and which also indicates a pre-defined level of readiness of the entity to deal with a risk to the information security of the entity. The pre-defined levels of readiness include, for example, a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness. Likewise, the information can be gathered and received manually or can be received by entry into the computer program running on a computer, such as a personal computer.

[0014] In the method and system for an embodiment of the present invention, the complacent level of readiness is characterized by a propensity of the entity to resignation to the current information security environment of the entity. The acknowledgment level of readiness is characterized by a propensity of the entity to acknowledgment of a need to improve the information security of the entity. The integration level of readiness is characterized by a propensity of the entity to integrate existing information security programs and services of the entity. The common practice level of readiness is characterized by a propensity of the entity to customarily practice information security procedures for the entity. The continuous improvement level of readiness is characterized by a propensity of the entity to continuously improve information security practices for the entity.

[0015] In the method and system for an embodiment of the present invention, the information security characteristic or characteristics are categorized according to a pre-defined hierarchy of the information security risk levels that are associated with various information security characteristics and which are also indicative of the pre-defined levels of readiness of the entity to deal with a risk to the information security of the entity. Again, the categorization can be performed manually or automatically by the computer program running on the computer, such as a personal computer. Further, the categorized information security characteristic or characteristics can be weighted either manually or automatically by the computer program and recategorized manually or by the computer program.

[0016] In the method and system for an embodiment of the present invention, the categorized or weighted and recategorized information security characteristic or characteristics are used as the basis for an assessment of the degree of business risk for the entity. The assessment can be performed either manually or automatically by the computer program. Another aspect for an embodiment of the present invention includes, for example, selection of the entity for which to evaluate the information security, for example, from a unit level entity, a business level entity, or an organization level entity. A further aspect for an embodiment of the present invention includes, for example, assigning an evaluation team for the selected entity. An additional aspect for an embodiment of the present invention includes, for example, generating a recommendation for a security improvement based at least in part on the assessed degree of business risk and at least in part on the cost of the security improvement.
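The evaluation procedure of paragraphs [0011] through [0016] (identify resources per area, receive a characteristic for each, categorize it in the readiness hierarchy, weight and recategorize, assess the degree of business risk, and recommend an improvement against its cost) can be made concrete in code. The Python below is an added example written for this page; it is not code from the patent or its applicant. The five level names and the area/resource lists are taken from the text, while the numeric ranks, the weights, the risk cut-offs and the ranking of improvements by readiness gained per unit cost are assumptions made here.

```python
"""Runnable model of the ISEM evaluation procedure in paragraphs [0011]-[0016].

Added example, not code from the patent. The readiness levels and the areas with
their resources come from the text; the numeric ranks, weights, risk cut-offs and
the ranking of improvements by readiness gained per unit cost are assumptions."""
from dataclasses import dataclass

# Pre-defined hierarchy of readiness levels ([0013]); rank 1 carries the most risk.
READINESS_LEVELS = ("complacent", "acknowledgment", "integration",
                    "common practice", "continuous improvement")
LEVEL_RANK = {name: rank for rank, name in enumerate(READINESS_LEVELS, start=1)}

# Information security areas and the resources each relates to ([0012]).
AREAS = {
    "organizational environment": ("corporate structure", "responsibility and accountability"),
    "business commitment": ("management", "funding", "incident management",
                            "awareness and education", "operations",
                            "information ownership", "information classification"),
    "policy and standards": ("existence and maintenance", "enforcement and measurement"),
    "IS programs and services": ("prevention", "detection", "verification"),
}
KNOWN_RESOURCES = {r for resources in AREAS.values() for r in resources}


@dataclass(frozen=True)
class Characteristic:
    """One received observation: the resource concerned and the level it indicates."""
    resource: str
    level: str
    weight: float = 1.0  # assumed relative importance; 1.0 means unweighted


def categorize(characteristics):
    """Step of [0015]: place each characteristic in the risk hierarchy (rank per resource)."""
    ranks = {}
    for c in characteristics:
        if c.resource not in KNOWN_RESOURCES or c.level not in LEVEL_RANK:
            raise ValueError(f"unknown resource or level: {c}")
        ranks[c.resource] = LEVEL_RANK[c.level]
    return ranks


def area_scores(characteristics):
    """Weighting step of [0015]: weighted mean rank of the observed resources per area."""
    scores = {}
    for area, resources in AREAS.items():
        obs = [c for c in characteristics if c.resource in resources]
        if obs:  # areas for which no information was received are left out
            total = sum(c.weight for c in obs)
            scores[area] = sum(LEVEL_RANK[c.level] * c.weight for c in obs) / total
    return scores


def recategorize(score):
    """Snap a weighted area score back onto a level name (nearest rank; an assumption)."""
    return READINESS_LEVELS[min(5, max(1, round(score))) - 1]


def assess_business_risk(characteristics):
    """Step of [0016]: degree of business risk, driven by the weakest area (assumed cut-offs)."""
    scores = area_scores(characteristics)
    worst = min(scores.values())
    degree = "high" if worst < 2.0 else "medium" if worst < 4.0 else "low"
    return degree, scores


def recommend(characteristics, improvements):
    """Rank improvements by readiness levels gained per unit cost; those gaining nothing are dropped."""
    current = categorize(characteristics)
    options = []
    for name, resource, target_level, cost in improvements:
        gain = LEVEL_RANK[target_level] - current.get(resource, 0)
        if gain > 0:
            options.append((gain / cost, name, gain, cost))
    options.sort(key=lambda option: -option[0])
    return [(name, gain, cost) for _, name, gain, cost in options]


# Constructed sample input for one hypothetical business-level entity.
SAMPLE_CHARACTERISTICS = [
    Characteristic("corporate structure", "acknowledgment"),
    Characteristic("responsibility and accountability", "complacent", weight=2.0),
    Characteristic("management", "acknowledgment", weight=3.0),
    Characteristic("incident management", "complacent"),
    Characteristic("awareness and education", "complacent"),
    Characteristic("existence and maintenance", "acknowledgment"),
    Characteristic("enforcement and measurement", "complacent", weight=1.5),
    Characteristic("prevention", "integration"),
    Characteristic("verification", "complacent"),
]
SAMPLE_IMPROVEMENTS = [  # (name, resource, target level, relative cost), all constructed
    ("route incidents through an escalation chain", "incident management", "acknowledgment", 1.0),
    ("appoint senior information owners", "responsibility and accountability", "integration", 3.0),
    ("deploy vulnerability assessment tools", "prevention", "integration", 5.0),
    ("fund an IS awareness and training program", "awareness and education", "integration", 4.0),
]

if __name__ == "__main__":
    degree, scores = assess_business_risk(SAMPLE_CHARACTERISTICS)
    print(f"degree of business risk: {degree}")
    for area, score in scores.items():
        print(f"  {area}: {score:.2f} -> {recategorize(score)}")
    for name, gain, cost in recommend(SAMPLE_CHARACTERISTICS, SAMPLE_IMPROVEMENTS):
        print(f"  recommend: {name} (+{gain} level(s) at cost {cost})")
```

Run as a script, it prints each area's weighted score, the level that score recategorizes to, and the ranked recommendations for the constructed entity. Letting the weakest area decide the degree of business risk is a design choice made here so that one complacent area cannot be hidden behind stronger ones; entity selection and evaluation-team assignment ([0016]) are bookkeeping around this core and are left out.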

BRIEF DESCRIPTION OF THE ATTACHMENTS

[0017]

Figs. 1 through 5 show a grid which illustrates an example of five levels of information security for the information security evaluation model for an embodiment of the present invention; and
Fig. 6 is a flow chart which illustrates an example of the process of evaluating the information security infrastructure for an entity using the information security evaluation model grid of Figs. 1 through 5 for an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0018] Referring now in detail to an embodiment of the present invention, an example of which is illustrated in the accompanying drawings, the system and method for an embodiment of the present invention makes use of an information security evaluation model having, for example, five different levels with varying characteristics which explain where an organization is with regard to threats and vulnerabilities to its information security at any given point in time. The five levels of the ISEM correspond generally to how ready an organization is to deal with an incident, such as an intrusion into the organization's information system by a hacker.
[0019] Figs. 1-5 show a table or grid 2 which illustrates an example of five levels of information security (IS) for the information security evaluation model (ISEM) for an embodiment of the present invention. Referring to Figs. 1-5, the first level 4 of the ISEM grid 2 is complacency, which defines an organization that is contented or resigned to its current environment. The first level 4 characterizes an organization, for example, that is contented, satisfied, or resigned to the current environment. At the first level 4, existing circumstances are accepted with an attitude of "If it's not broken, don't fix it."

[0020] In an embodiment of the present invention, complacency at the first level 4 of the ISEM grid 2 is characterized, for example, in that existing programs and services are perceived as sufficient. Generally, system availability requirements are understood, and failure to provide adequate security is viewed as an "operations only" issue. Some threats are known, but are not analyzed or understood. Protection is seen as a function of the physical facility, and safeguards are physical network components that are usually installed in an ad hoc manner. Information assets are not considered as separate entities requiring security, and IS is not formal and consists mainly of systems administrators, information systems administrators, or quality assurance and/or compliance units. The requirement for passwords/user identifications may or may not be a commonplace occurrence, and directory set-ups of "read," "write," and "share" are known but may not be fully understood. A help desk is used to report incidents with no escalation, and incidents may or may not be resolved. Also, at the first level 4, IS incidents are viewed as "someone else's problem," and IS policies and standards are minimal, and may or may not be documented.

[0021] The consequences to an organization of complacency at the first level 4 of the ISEM grid 2 for an embodiment of the present invention include, for example, no ownership of information or sense of awareness of IS. The organization is not in a state of alertness or readiness, and IS budgets are typically small or non-existent. Information owners do not exist, and responsibility and/or authorization is lacking. Information is not classified, and there is no relationship to business risk. Security incidents are not reported and tracked as such and are managed as crisis events. In addition, at the first level 4, audit controls and process and procedures are built around complacent characteristics.

[0022] In an embodiment of the present invention, with complacency at the first level 4 of the ISEM grid 2, the response of the organization to an IS incident is reactionary. For example, if someone breaks into the organization's network or server and steals the organization's confidential documentation, a first level 4 or complacent organization initially takes a long time to determine whether such a break-in has indeed occurred. The organization may not be aware of the break-in for an extended period of time. When the organization finally learns of the break-in, it has no mechanism for reporting or responding to the break-in. Such an organization does not usually have any budgeted dollars with which to employ someone to help deal with the break-in, so it has a high impact on the organization. Such a reactionary response to an information security breach is expensive, and usually the organization's management at the first level 4 over-reacts or perhaps becomes panic-stricken.

[0023] Referring further to Figs. 1-5, the second level 6 of the ISEM grid 2 for an embodiment of the present invention is acknowledgment, which is represented by an organization whose management acknowledges that perhaps they need to do something to work in a more secure environment for IS. At the second level 6, change and validation of IS requirements are accepted, and management understands risk as it pertains to IS.

[0024] In an embodiment of the present invention, at the acknowledgment or second level 6 of the ISEM grid 2, some of the business people within the organization realize that there are risks pertaining to the organization's information security and are willing to allocate money to try to avoid such risks. They are also willing to implement at least some monitoring tools or training of at least some of their employees for the purpose. At the second level 6, they are beginning to become more alert to the fact that an information security breach can happen.

[0025] Characteristics of the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, a realization that a "silo" approach will not work, that a focused IS program and IS organization is required, and that existing IS processes are fragmented. Additional characteristics of acknowledgment at the second level 6 include, for example, a realization that information assets must be owned in a concept of "information ownership" and that information must be "classified" as a function of risk to the business unit.

[0026] Other characteristics of the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, that management is willing to allocate funds for IS products and systems, which is usually operations oriented at this level. Management also realizes that IS is needed, and a corporate IS officer has been assigned or is being considered. While IS professionals are assigned, they are usually operations staff at this level. Incidents are still reported through a help desk, but escalations are refocused. IS organizations receive reports of incidents from the help desk as a function of the escalation chain. At the second level 6, some response teams are being built within the business units and the IS organization, and reporting of business level IS activities to senior management exists but is sporadic.
[0027] The results for an entity at the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, that "silos" particular to IS between groups begin to diminish. IS requirements are mandated, but process and programs to manage them are not yet built. Ad hoc requests for IS status are made by management to line managers, pressure to make business managers more accountable for IS comes from the top down, and IS topics begin to appear on management meeting agendas. In addition, at the second level 6, accountability for information assets may be assigned to a person, and the level of protection required for information assets is considered when making decisions.

[0028] Other results for an entity at the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, that budgeted dollars are spent on high priced security technologies, which are usually data center centric. The blame for incidents, system failures, or availability shifts between operations and information security providers, and attention to incident management increases. Additionally, at the second level 6, end user productivity can be affected by IS safeguards mandated to protect corporate assets, and the organization begins to move towards an alert state, although it is not yet in a readiness state.

[0029] Referring still further to Figs. 1-5, the third level 8 of the ISEM grid 2 for an embodiment of the present invention is integration, in which an organization's management takes any existing programs and services that are already in the organization and integrates them or penetrates them down into all levels of the business so they work in concert together. In an organization at the third level 8, IS requirements across corporate boundaries are accepted, and threats and vulnerabilities are understood, as well as a requirement for cross functionality.

[0030] At the integration or third level 8 of the ISEM grid 2, for an embodiment of the present invention, there is a state of readiness, because information security requirements are integrated between the levels and the businesses, and people know what to do and how to respond to an information security breach. For example, when an incident occurs, they know not to publicize it because publicity can cause damage to the organization's reputation. At the third level 8, they know to report the incident to the appropriate security officer, who has been designated beforehand.

[0031] Characteristics of an organization at the integration or third level 8 of the ISEM grid 2 for an embodiment of the present invention include, for example, that management realizes that IS adds value to the organization, and there is a general acceptance of an organization-wide, standards based, IS infrastructure. An IS infrastructure is designed to penetrate all business entities and levels, and a centralized corporate IS office or officer is established, funded, and staffed, and granted authority over IS matters. Senior level information owners with responsibility are identified, and information assets are assigned sponsors with authority at the business, customer, and/or user level. At the third level 8, information has been and/or is being classified based on business risk, and an organization-wide process relationship exists for reporting incidents.

[0032] Other characteristics of an organization at the integration or third level 8 of the ISEM grid 2 for an embodiment of the present invention include, for example, that organization-wide process relationships exist for responding to incidents, for disseminating security alerts or threat management, and for certifying security products. Virus reporting is centralized, and a security building permit process is part of the application/product development lifecycle. A process relationship exists between the security incident response teams, business incident response teams, and organization fraud entities, and IS vulnerability assessment tools are made available to the business units. At the third level 8, all new hire packages include an IS package and training schedule, IS training programs are available, and IS metrics are collected, analyzed, and used to make decisions.

[0033] The results for an entity at the integration or third level 8 of the ISEM grid 2 for an embodiment of the present invention include, for example, that products/applications are delivered with appropriate levels of security, end users can more readily identify reportable incidents, and mutually beneficial process relationships exist between the business units. IS metrics are used for decision making, trending, and threat management, IS becomes process driven, and IS is managed vertically from the top down and horizontally or cross "silo." IS programs and services are being designed to meet corporate requirements, IS practices are mandated, and accountability for information assets is assigned to the "right people." IS vulnerability assessments are being incorporated in the business unit's self-assessment process, information assets are being classified as a function of risk, and information ownership is omnipresent. The organization at the third level 8 is in an alert state and is moving towards a readiness state.
[0034] Referring again to Figs. 1-5, the fourth level 10 of the ISEM grid 2 for an embodiment of the present invention is common practice, which means that there has been a culture switch within the organization and that providing IS programs and services is a common practice of the organization. For example, it becomes a common practice for employees to password their workstations, to turn their equipment off at night, to take IS precautions when traveling, and to lock away confidential documentation. Off-site storage is provided for confidential documentation. At the fourth level 10, such IS actions become common practice. Employees think about IS at all times. In an organization at the fourth level 10, IS requirements reach the business entity level as daily business procedures, IS practices are widespread throughout the corporation, and IS practices become a habitual occurrence.

[0035] In an organization at the fourth level 10 of the ISEM grid 2 for an embodiment of the present invention, information security is a common practice. People know what to do and money is budgeted for information security. Information security is a part of building the organization's applications and products. The common practice characteristics of an organization at the fourth level 10 include, for example, that the integration of IS programs and services with the business units is complete. Management actively and visibly participates in the IS programs and services, the IS infrastructure is established, IS policy and standards are established, understood, and implemented, and the practice of IS is considered daily.

[0036] In an organization at the fourth level 10 of the ISEM grid 2 for an embodiment of the present invention, information classifications are based on business risk analysis, incident reporting is centralized and focused, business incident response teams are built, and a process relationship exists between the business incident response teams and a security incident response team. Virus incidents are tracked and reported, IS metrics are available at the business level, and business level IS officer resource allocation is optimized. At the fourth level 10, IS product certification is ongoing, and management meetings include IS awareness agenda items.

[0037] The results for an organization at the common practice or fourth level 10 of the ISEM grid 2 for an embodiment of the present invention include, for example, that IS is a common business practice, and there is consistency in IS products. IS programs and services are interactive, there is routine corporate wide IS reporting, and mutually beneficial relationships exist between the organizational units. There is consistency in corporate IS initiatives, IS programs and services reflect the organization's environment, the organization understands its vulnerabilities, and virus incident trending, tracking, and reporting is available. At the fourth level 10, the organization is in an alert state, as well as a readiness state.

[0038] Referring once again to Figs. 1-5, the final or fifth level 12 of the ISEM grid 2 for an embodiment of the present invention is continuous improvement, in which an organization for which IS culture has become a common practice looks continually at technologies for improving the security of information, and works with those technologies to continuously improve the IS environment within the organization. In an organization at the fifth level 12, IS practices are a proven corporate benefit and quality state with a corresponding increase in productivity and value, and IS becomes a part of the brand.
[0039] In an embodiment of the present invention, 
at the continuous improvement or fifth level 12, the 
organization is in a highly alert state with regard to IS 



and ready to deal with any incident, such as a hacker. 
When such an incident occurs, response teams are 
ready to go into place and resolve the problem. An 
organization that is at the fifth level 12 continuously 
monitors the threats to its IS out in the marketplace and 
is able to evaluate how the threats affect the organiza- 
tion and then make changes based on those threats. 
Such an organization looks at more cost-effective alter- 
natives than what it currently has in place. The organi- 
zation frequently re-classifies its information based on 
various risks, ft changes its policies and standards to 
reflect changes in technology or changes in its classifi- 
cation of information. An organization at the fifth level 1 2 
does such things relatively quickly. Implementation 
cycles are designated in Web years, which is usually 
about three months. At the fifth level 12, IS activities are 
encouraged in the organization. 
[0040] An organization at the fifth level 12 of the 
ISEM grid 2 for an embodiment of the present invention 
has IS programs and services that are planned and rou- 
tine. IS is something that happens as part of the plan- 
ning and strategic planning processes of the 
organization. The products that emanate from an organ- 
ization that reaches the continuous improvement or fifth 
level 12 are trusted products, and buyers of such prod- 
ucts know the products can be trusted. IS is considered 
part of the organization and becomes part of the culture 
of the organization. In an organization at the fifth level 
12, IS is something that people within the organization 
deal with every day, and knowledge that the organiza- 
tion gains is shared throughout the organization. 
[0041] In an organization at the fifth level 12 of the 
ISEM grid 2 for an embodiment of the present invention, 
IS program and service initiatives are at a much higher 
level and function across organizational lines. In the 
event of an IS incident the response is quick, and eve- 
ryone knows what to do, which usually results in savings 
of money to the organization. There is a mechanism in 
place for reporting incidents back to management An 
organization at the fifth level 12 is constantly alert to 
information security risks, and the organization is ready 
to handle such risks, which minimizes losses. 
[0042] Characteristics of an organization at the con- 
tinuous improvement or fifth level 12 for an embocfiment 
of the present invention include, for example, continual 
reevaluation of threats based on changing threat popu- 
lation and security incidents, and additional or more 
cost effective alternatives are continually identified. 
Information classification is continually reviewed for 
optimal risk/security benefits, IS policies and standards 
are continually reviewed for completeness and applica- 
bility, and implementation cycles are in Web years. IS 
technical research activities are encouraged to be con- 
sistent with rapidly changing environments. IS programs 
and services are planned, budgeted, and routine for 
security economics, and the organization is known for 
providing trusted products. In an organization at the fifth 
level 12, IS is considered an integral component of the 
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organization's internal controls, the practice of IS is con- 
sidered a component of the corporate culture and is 
second nature, and knowledge is shared. 
[0043] The results of the continuous improvement or fifth level 12 of the ISEM grid 2 for an embodiment of the present invention include, for example, that IS process improvement is continuous through program and service initiatives, cross level and cross functional participation, and the sharing of knowledge. Incidents are responded to with corrective actions, feedback to management is consistent, and prevention strategies are implemented and continuously improved. Recovery costs are contained, and losses are minimized and anticipated. An organization at the fifth level 12 is in an alert state, as well as a readiness state. 

[0044] Referring still again to Figs. 1 - 5, the ISEM 
for an embodiment of the present invention makes use 
of the grid 2, which includes the five levels of the ISEM, 
as well as associated process, control and facilitator 
indicator areas 14. The process, control, and facilitator 
indicator areas 14 include, for example, organizational 
environment 16, business commitment 18, policy and 
standards 20, and IS programs and services 22. The 
process and control area facilitators and indicators 14, 
such as organizational environment 16, are the features 
that determine the results, i.e. make each thing hap- 
pen, or indicate who determines the status or where 
each characteristic is at any particular time. 
[0045] In an embodiment of the present invention, the process, control, and facilitator indicator areas 14 of the ISEM grid 2 are areas within an organization that have some type of responsibility for information security. Within each process, control and facilitator indicator area 14 there is a definition. For example, organizational environment 16 relates to corporate structure 24 and responsibility and accountability 26. Business commitment 18 relates to management 28, funding 30, incident management 32, awareness and education 34, operations 36, information ownership 38, and information classification 40. Policy and standards 20 relates to maintenance 42 and enforcement and measurement 44. IS programs and services 22 relates to prevention 46, detection 48, and verification 50. 
[0046] Each of the five levels of the ISEM grid 2 for an embodiment of the present invention is documented within each cell of the grid 2. For example, corporate structure 24 at the first level 4 addresses existing programs and services that are perceived as sufficient and exist in silos, information security that is informal and consists mainly of systems administrators, the absence of a focused IS program or a relationship between business units and IS entities, and the absence of a readiness or an alert state of IS. For another example, responsibility and accountability 26 at the first level 4 addresses the absence of an IS office or officer, the absence of ownership of IS, the view of failure to provide adequate IS as only an operations or technology issue, and the view of IS incidents as someone else's problem. 

[0047] In an embodiment of the present invention, the ISEM grid 2 takes all of the characteristics and puts them into the proper cell for the analysis and evaluation of the IS of an organization, and does so for each process area within the organization. The ISEM grid 2 for an embodiment of the present invention can be used with a tool set on a qualitative basis without weighting, but weighting can serve to quantitatively define or refine the process somewhat. 

[0048] In a weighting aspect of an embodiment of the present invention, the ISEM grid 2 is used to weight and score information security by viewing each characteristic within a cell, weighting it as to its importance in the particular level, and computing a score. An organization cannot graduate from one level to the next level until it reaches a certain score. The weighting process is an aspect of the present invention, and the calculation of the level of IS is consistent regardless of the particular tool set that is used to evaluate the cells or evaluate their levels by using, for example, a decision tree or a cumulative process. A tool set is used by an organization to determine the particular level at which the organization stands. The characteristics within each level of the model can be weighted and the results scored using the tool set to identify the level at which the organization stands. 

[0049] In an embodiment of the present invention, the resulting score is used by business managers within the organization to make a decision with regard to whether they are satisfied with the particular level at which the organization stands in respect to IS in light of the risk to the business of the organization. If the business managers within the organization find the business risk unacceptable, they can elect to determine, for example, the technology steps necessary to move to a higher level on the ISEM grid 2 and the costs associated with such steps. If the business risk justifies the costs, appropriate procedures can be implemented to move to a higher level on the ISEM grid 2. 
[0050] Fig. 6 is a flow chart which illustrates an example of the process of evaluating an entity's IS infrastructure using the ISEM grid 2 for an embodiment of the present invention. Referring to Fig. 6, at S1, a selection is made of the particular entity for which IS is to be evaluated. The selected entity can be, for example, a unit level, a business level or the organization level. At S2, an ISEM certified evaluation team is assigned. At S3, the IS resources of the selected entity are identified from pre-defined indicators, for example, from each process, control, and facilitator indicator area of the entity, such as organizational environment 16, business commitment 18, policy and standards 20, and IS programs and services 22. 

[0051] Referring further to Fig. 6, at S4, information is received that relates to security characteristics, for example, for each identified IS resource. For example, questions concerning the security characteristics of each identified IS resource are considered and answered, which relate to the levels on the ISEM grid 2 and where the entity stands on the ISEM grid 2. For the organization to be, for example, at the first level 4, it must meet certain criteria. 

[0052] In order to get to the security characteristics, for example, for the first level 4 of the ISEM grid 2 for an embodiment of the present invention, it is necessary to pose and answer questions about the identified IS resources, such as whether existing IS programs are perceived as sufficient, whether IS is informal and consists mainly of systems administrators, whether a focused IS program exists, whether a relationship exists between business units and IS entities, whether an IS office or officer exists, and the like. The questions can be posed in any number of ways to get to the security characteristics, and the yes or no answers to the questions provide the information that determines the level on the ISEM grid 2 at which the entity stands. 
[0053] Referring again to Fig. 6, at S5, the information about the IS characteristics of the entity is compiled and categorized according to a predefined hierarchy of IS characteristics, such as the five levels of the ISEM grid 2. While the compilation and categorization of the IS characteristics can be performed manually, an aspect of an embodiment of the present invention makes use of a computer software application or program referred to as the ISEM tool set or tool kit running, for example, on a personal computer (PC). The ISEM tool kit is used to perform evaluations by the automated software application by process, control, and facilitator indicator area 14. The ISEM tool kit automatically compiles and categorizes the results for each cell of the ISEM grid 2. 
[0054] In an additional aspect for an embodiment of the present invention, after posing and answering all of the questions, at S5, the ISEM tool kit optionally performs weighting, recompiles the weighted results, and automatically determines the level within the ISEM grid 2 where the entity stands. The ISEM tool optionally compiles, enters and weights the results. At S6, the compiled and categorized results are presented to a management team for the entity, which assesses the results to determine whether, for example, the entity is operating at a level on the ISEM grid 2 which meets the entity's IS needs, based on business determined risks. At S7, a recommendation is made by the management team, based on its assessment of the compiled and categorized results according to the ISEM grid 2 and the costs of IS program adjustments, if applicable. 
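The weighting and scoring rule of [0048] and the question-driven evaluation of [0052] to [0054] can be modelled in a few dozen lines. The block below is an added worked example, not code from the patent or from any ISEM tool kit. The indicator area and resource names are the patent's own; every question, weight, the 0.75 graduation threshold and the cumulative gating rule (one of the two options, decision tree or cumulative process, that [0048] names) are constructed assumptions for illustration.

```python
"""Added example: a toy ISEM-style scoring tool.

Each characteristic lives in one grid cell (indicator area x level) and is
answered yes/no.  Answers are weighted, compiled per cell and per level, and
the entity's level is the highest one it has graduated to.  All questions,
weights and the threshold are constructed assumptions, not patent values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = {1: "complacent", 2: "acknowledgment", 3: "integration",
          4: "common practice", 5: "continuous improvement"}


@dataclass(frozen=True)
class Characteristic:
    area: str       # process, control and facilitator indicator area
    resource: str   # IS resource within that area
    level: int      # grid level (1..5) whose cell holds this characteristic
    question: str   # yes/no question posed to the evaluation team (constructed)
    weight: float   # assumed importance within the cell (constructed)


# Constructed sample grid: a handful of cells, not the full model.
GRID: List[Characteristic] = [
    Characteristic("organizational environment", "responsibility and accountability", 2,
                   "Is an IS office or officer designated?", 2.0),
    Characteristic("organizational environment", "corporate structure", 2,
                   "Is there a relationship between business units and IS entities?", 1.0),
    Characteristic("business commitment", "incident management", 3,
                   "Is there a mechanism for reporting incidents back to management?", 2.0),
    Characteristic("business commitment", "awareness and education", 3,
                   "Does everyone know what to do when an IS incident occurs?", 1.0),
    Characteristic("policy and standards", "maintenance", 4,
                   "Are IS policies reviewed on a fixed cycle?", 1.0),
    Characteristic("IS programs and services", "detection", 4,
                   "Are incidents detected and responded to with corrective actions?", 2.0),
    Characteristic("policy and standards", "enforcement and measurement", 5,
                   "Are threats continually re-evaluated against security incidents?", 1.0),
    Characteristic("IS programs and services", "verification", 5,
                   "Is IS practice second nature across organizational lines?", 1.0),
]


def cell_scores(grid: List[Characteristic], answers: Dict[str, bool]) -> Dict[Tuple[str, int], float]:
    """Weighted share of 'yes' answers per (area, level) cell, in 0.0..1.0.
    This is the per-area compilation the tool kit performs at S5."""
    earned: Dict[Tuple[str, int], float] = {}
    total: Dict[Tuple[str, int], float] = {}
    for c in grid:
        key = (c.area, c.level)
        total[key] = total.get(key, 0.0) + c.weight
        if answers.get(c.question, False):           # unanswered counts as 'no'
            earned[key] = earned.get(key, 0.0) + c.weight
    return {k: earned.get(k, 0.0) / total[k] for k in total}


def level_scores(grid: List[Characteristic], answers: Dict[str, bool]) -> Dict[int, float]:
    """Weighted share of 'yes' answers per level across all areas."""
    earned = {lvl: 0.0 for lvl in LEVELS}
    total = {lvl: 0.0 for lvl in LEVELS}
    for c in grid:
        total[c.level] += c.weight
        if answers.get(c.question, False):
            earned[c.level] += c.weight
    return {lvl: (earned[lvl] / total[lvl] if total[lvl] else 0.0) for lvl in LEVELS}


def determine_level(grid: List[Characteristic], answers: Dict[str, bool], threshold: float = 0.75) -> int:
    """Cumulative graduation rule (assumed): level 1 is the floor; the entity
    graduates to level n only if level n's score meets the threshold and every
    level below it already did.  A gap at a lower level stops the climb even
    when higher cells are fully satisfied."""
    scores = level_scores(grid, answers)
    level = 1
    for lvl in range(2, 6):
        if scores[lvl] >= threshold:
            level = lvl
        else:
            break
    return level


# Constructed answers: levels 2 and 3 complete, level 4 partial, level 5 unanswered.
SAMPLE_ANSWERS: Dict[str, bool] = {
    "Is an IS office or officer designated?": True,
    "Is there a relationship between business units and IS entities?": True,
    "Is there a mechanism for reporting incidents back to management?": True,
    "Does everyone know what to do when an IS incident occurs?": True,
    "Are IS policies reviewed on a fixed cycle?": True,
    "Are incidents detected and responded to with corrective actions?": False,
}

if __name__ == "__main__":
    for lvl, score in level_scores(GRID, SAMPLE_ANSWERS).items():
        print(f"level {lvl} ({LEVELS[lvl]}): {score:.2f}")
    for (area, lvl), score in sorted(cell_scores(GRID, SAMPLE_ANSWERS).items()):
        print(f"  cell [{area} / level {lvl}]: {score:.2f}")
    print("entity stands at level", determine_level(GRID, SAMPLE_ANSWERS))
```

With the sample answers the entity reaches level 3 and stops there, because the level 4 cells score only one third of their weight; the unanswered level 5 questions never matter. Reversing the gap (all level 2 answers "no", everything above "yes") leaves the entity at level 1, which is the point of the graduation rule: a strong showing in higher cells does not compensate for an unmet lower level. Replacing `determine_level` with a decision tree over the same `cell_scores` would be the other evaluation style [0048] mentions.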
[0055] An embodiment of the present invention identifies threats and vulnerabilities or the risk state of an organization's information and enables the organization to develop an effective IS infrastructure. An embodiment of the present invention defines a set of controls for assessing and compensating for vulnerabilities in each organizational component, such as technology, business process, and the like. An embodiment of the present invention also provides a means for defining and classifying the degree of risk associated with information assets, where risk is defined as the economic value or degree of worth of an information asset and/or the economic exposure and/or reputational impact to the organization. Further, an embodiment of the present invention assists the organization in determining the nature of threats and exploiting vulnerabilities, provides tools for impact assessment and analysis, and recommends solutions. 

[0056] Although the invention has been described with reference to these preferred embodiments, other embodiments can achieve the same results, various modifications of the present invention will be apparent to one skilled in the art, and the above disclosure is intended to cover all such modifications. Accordingly, the invention is limited only by the following claims. 

Claims 

1. A method for evaluating information security for an entity, comprising: 

identifying at least one information security resource related to an information security area of the entity selected from a group consisting of an organizational environment area, a business commitment area, a policy and standards area, and an information security programs and services area of the entity; 

receiving information about at least one information security characteristic for the identified information security resource; 

categorizing the information security characteristic according to a pre-defined hierarchy of information security risk levels associated with information security characteristics; and 

assessing a degree of business risk for the entity based on the categorization of the information security characteristic. 

2. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource from one of a corporate structure resource and a responsibility and accountability resource related to the organizational environment area of the entity. 

3. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource selected from a group consisting of a management resource, a funding resource, an incident management resource, an awareness and education resource, an operations resource, an information ownership resource, and an information classification resource related to the business commitment area of the entity. 
4. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource from one of an existence and maintenance resource and an enforcement and measurement resource related to the policy and standards area of the entity. 

5. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource selected from a group consisting of a prevention resource, a detection resource, and a verification resource related to the information security programs and services area of the entity. 

6. The method of claim 1, wherein identifying the information security resource further comprises receiving a selection of the identified information security resource on a computer program. 

7. The method of claim 1, wherein receiving the information further comprises receiving the information about the security characteristic for the identified information security resource which is indicative of a pre-defined risk level for the information security of the entity. 

8. The method of claim 7, wherein receiving the information indicative of the pre-defined risk level further comprises receiving the information indicative of a pre-defined level of readiness of the entity to deal with a risk to the information security of the entity selected from a group consisting of a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness of the entity. 

9. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the complacent level of readiness which indicates a propensity of the entity to resignation to a current information security environment of the entity. 

10. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the acknowledgment level of readiness which indicates a propensity of the entity to acknowledgment of a need to improve the information security of the entity. 

11. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the integration level of readiness which indicates a propensity of the entity to integrate existing information security programs and services of the entity. 

12. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the common practice level of readiness which indicates a propensity of the entity to customarily practice information security procedures for the entity. 

13. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the continuous improvement level of readiness indicative of a propensity of the entity to continuously improve information security practices for the entity. 

14. The method of claim 1, wherein receiving the information further comprises receiving the information at a computer. 

15. The method of claim 1, wherein categorizing the information security characteristic further comprises categorizing the information security characteristic according to a pre-defined risk level for the information security of the entity. 

16. The method of claim 15, wherein categorizing the information security characteristic according to the pre-defined risk level further comprises categorizing the information security characteristic according to a pre-defined level of readiness of the entity to deal with a risk to the information security of the entity selected from a group consisting of a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness. 

17. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the complacent level of readiness indicative of a propensity of the entity to resignation to a current information security environment of the entity. 

18. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the acknowledgment level of readiness indicative of a propensity of the entity to acknowledge a need to improve the information security of the entity. 

19. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the integration degree of readiness indicative of a propensity of the entity to integrate existing information security programs and services of the entity. 

20. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the common practice level of readiness indicative of a predisposition of the entity to customarily practice information security procedures for the entity. 

21. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the continuous improvement level of readiness indicative of a propensity of the entity to continuously improve information security practices for the entity. 

22. The method of claim 1, wherein categorizing the information security characteristic further comprises categorizing the information security characteristic by a computer program. 

23. The method of claim 22, wherein categorizing the information security characteristic further comprises weighting the categorized information security characteristic. 

24. The method of claim 23, wherein weighting the categorized information security characteristic further comprises automatically weighting the categorized information security characteristic by a computer program. 

25. The method of claim 24, wherein weighting the categorized information security characteristic further comprises recategorizing the weighted information security characteristic. 

26. The method of claim 25, wherein recategorizing the weighted information security characteristic further comprises automatically recategorizing the weighted information security characteristic by a computer program. 

27. The method of claim 1, wherein assessing the degree of business risk further comprises assessing the degree of business risk based on the categorization of the information security characteristic according to a pre-defined risk level for the information security of the entity. 

28. The method of claim 27, wherein assessing the business risk based on the categorization of the information security characteristic further comprises assessing the business risk based on the categorization of the information security characteristic according to a predefined level of readiness of the entity to deal with a risk to the information security of the entity selected from a group consisting of a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness. 

29. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the complacent level of readiness indicative of a propensity of the entity to resignation to a current information security environment of the entity. 

30. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the acknowledgment level of readiness indicative of a propensity of the entity to acknowledge a need to improve the information security of the entity. 

31. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the integration level of readiness indicative of a propensity of the entity to integrate existing information security programs and services of the entity. 

32. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the common practice level of readiness indicative of a propensity of the entity to customarily practice information security procedures for the entity. 

33. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the continuous improvement level of readiness indicative of a propensity of the entity to continuously improve information security practices for the entity. 
34. The method of claim 1, wherein assessing the business risk further comprises automatically assessing the business risk by a computer program. 

35. The method of claim 1, further comprising selecting the entity for which to evaluate the information security. 

36. The method of claim 35, wherein selecting the entity further comprises selecting the entity from one of a unit level entity, a business level entity, and an organization level entity. 

37. The method of claim 1, further comprising assigning an evaluation team for the selected entity. 

38. The method of claim 1, further comprising generating a recommendation for a security improvement related to the information security characteristic based at least in part on the assessed degree of business risk. 

39. The method of claim 38, wherein generating the recommendation further comprises generating the recommendation for the security improvement based at least in part on the cost of the security improvement. 

40. The method of claim 39, wherein generating the recommendation further comprises automatically generating the recommendation by a computer program. 

41. A system for evaluating information security for an entity, comprising: 

means for identifying at least one information security resource related to an information security area of the entity selected from a group of security areas consisting of an organizational environment area, a business commitment area, a policy and standards area, and an information security programs and services area of the entity; 

means associated with the identifying means for receiving information about at least one information security characteristic for the identified information security resource; 

means communicating with the receiving means for categorizing the information security characteristic according to a pre-defined hierarchy of information security risk levels associated with information security characteristics; and 

means associated with the categorizing means for assessing a degree of business risk for the entity based on the categorization of the information security characteristic. 

42. The system of claim 41, wherein the identifying means further comprises means for receiving a selection of the identified security information resource. 

43. The system of claim 42, wherein the means for receiving the selection further comprises a computer program. 

44. The system of claim 41, wherein the means for receiving the information further comprises a computer program. 

45. The system of claim 41, wherein the means for categorizing the information security characteristic further comprises an information security evaluation model grid. 

46. The system of claim 41, wherein the means for categorizing the information security characteristic further comprises a computer program. 

47. The system of claim 41, wherein the means for assessing the degree of business risk further comprises an information security evaluation model grid. 

48. The system of claim 41, wherein the means for assessing the degree of business risk further comprises a computer program. 
EP 0999 489 A2 

[Figs. 1 - 5: ISEM grid 2 (drawing not reproduced in the text); the only legible panel title in the scanned residue is "Level 5 Continuous Improvement".] 
[Fig. 6 (flow chart; only the first four steps are legible in the scanned residue): 
S1 - Select Entity Level for IS Evaluation 
S2 - Assign IS Evaluation Team for Selected Entity 
S3 - Identify IS Resources of Selected Entity From Predefined Indicators From Each Process, Control, and Facilitator Area of Selected Entity 
S4 - Receive Information Related to Security Characteristics for Each Identified IS Resource] 